From 4f01121f6e598c51e42a69f3fd9a54846013117a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 27 Nov 2022 22:02:10 +0100 Subject: [PATCH] Fix memory leak on error in pkcs7_get_signers_info_set mbedtls_x509_name allocates memory, which must be freed if there is a subsequent error. Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53811). Signed-off-by: Gilles Peskine --- library/pkcs7.c | 2 +- ..._info_set-leak-fuzz_pkcs7-4541044530479104.der | Bin 0 -> 108 bytes tests/suites/test_suite_pkcs7.data | 3 +++ 3 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der diff --git a/library/pkcs7.c b/library/pkcs7.c index fc6dd33f3d..e4238b6a38 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -387,7 +387,7 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, ret = pkcs7_get_signer_info( p, end_set, signers_set ); if( ret != 0 ) - return( ret ); + goto cleanup; count++; mbedtls_pkcs7_signer_info *prev = signers_set; diff --git a/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der b/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der new file mode 100644 index 0000000000000000000000000000000000000000..51aef0d0929043a6c080846758c96bf08a945216 GIT binary patch literal 108 zcmXrWVq#=8FQ)N1o+`_9YA&S+?7APZDrz-_=`$Y#L8#=yhC l!~mq36ch}Y*cezCVA3LnLJ(;XDFadhBo)BmKZH_H004ib3yc5& literal 0 HcmV?d00001 diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 5ecfb91119..c329a771ee 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data 
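Review bot: The new `goto cleanup;` in the library/pkcs7.c hunk carries no comment saying what the error path must release, and the `cleanup` label lies outside the hunk, so what it frees cannot be confirmed from the lines shown. Going by the commit message, a failing `pkcs7_get_signer_info` can leave memory allocated by `mbedtls_x509_name` attached to `signers_set`. A comment above the `goto`, such as `/* pkcs7_get_signer_info may have allocated name data in signers_set before failing; release it via cleanup */`, would keep a later refactor from restoring the early `return( ret );`. Since this function parses untrusted DER, it is also worth confirming that every other early exit in `pkcs7_get_signers_info_set` reached after an allocation takes the same cleanup path; the rest of the function is not visible here.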
@@ -65,6 +65,9 @@ pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PK pkcs7_get_signers_info_set error handling (6213931373035520) pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +pkcs7_get_signers_info_set error handling (4541044530479104) +pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + PKCS7 Only Signed Data Parse Pass #15 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA
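Review bot: The added case labelled (4541044530479104) still parses `data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der`, the same file as the case directly above it. The reproducer this commit adds (`pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der`) is therefore never loaded, and the leak fix has no regression coverage. The line should read `pkcs7_parse:"data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der":<expected error>`, where the expected return value may differ from the copied one and should be confirmed by running the case. Because the defect is a leak and not a wrong return code, the case only catches a regression when the suite runs under a leak detector such as ASan/LeakSanitizer or Valgrind.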